Bug 802564 (CVE-2012-1162)

Summary: CVE-2012-1162 libzip: heap overflow flaw when processing malformed zip file
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jlieskov, jorton, scorneli, security-response-team, vvitek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libzip 0.10.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-16 14:54:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 805102, 805104    
Bug Blocks: 802568    

Description Vincent Danen 2012-03-12 21:09:03 UTC 
A heap overflow vulnerability was reported in libzip <= 0.10 when processing certain corrupt zip files.  When libzip opens a zip file, it allocates memory based on the number of directory entries, however ue to an incorrect loop construct in lib/zip_open.c, if the number of directories in the file is set to 0, no memory would be allocated, which could cause libzip to write beyond the allocated memory.

This has already been corrected upstream [1].

[1] http://hg.nih.at/libzip/?cs=906bcce2bc13


Acknowledgements:

Red Hat would like to thank Timo Warns for reporting this issue.
Comment 1 Vincent Danen 2012-03-12 21:10:26 UTC 
While this flaw has been fixed in the upstream repository, no release has been made that includes it, and the extent of the flaw was not discovered until now.
Comment 2 Vincent Danen 2012-03-20 14:48:58 UTC 
This is now public:

http://nih.at/listarchive/libzip-discuss/msg00252.html
Comment 3 Vincent Danen 2012-03-20 14:53:42 UTC 
Created php tracking bugs for this issue

Affects: fedora-all [bug 805104]
Comment 4 Vincent Danen 2012-03-20 14:53:46 UTC 
Created libzip tracking bugs for this issue

Affects: fedora-all [bug 805102]
Comment 8 Stefan Cornelius 2012-03-28 04:26:09 UTC 
The vulnerability was introduced by patch http://hg.nih.at/libzip/?cs=de747816d94c in version 0.10.

Statement:

Not vulnerable. This issue did not affect the versions of libzip and php as shipped with Red Hat Enterprise Linux 6. This issue did not affect the versions of php53 as shipped with Red Hat Enterprise Linux 5.
Comment 9 Fedora Update System 2012-04-12 02:48:11 UTC 
libzip-0.10.1-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Stefan Cornelius 2012-04-16 14:54:07 UTC 
Vulnerability was introduced in a version later than shipped with F15 and F16. F17 now ships version 0.10.1, which fixes the issue.
Comment 11 Jan Lieskovsky 2012-07-13 09:40:52 UTC 
References:
http://nih.at/listarchive/libzip-discuss/msg00252.html
http://www.openwall.com/lists/oss-security/2012/03/21/2
http://www.openwall.com/lists/oss-security/2012/03/29/11
http://www.nih.at/libzip/NEWS.html
http://www.gentoo.org/security/en/glsa/glsa-201203-23.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2012:034